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Abstract 

We  introduce  differential  game  logic  (clG£)  for  specifying  and  verifying  properties  of  hybrid 
games,  i.e.,  determined,  sequential/dynamic,  non-cooperative,  zero-sum  games  of  perfect  infor¬ 
mation  on  hybrid  systems  that  combine  discrete  and  continuous  dynamics.  Unlike  hybrid  systems, 
hybrid  games  allow  choices  in  the  system  dynamics  to  be  resolved  by  different  players  with  differ¬ 
ent  objectives.  The  logic  clG£  can  be  used  to  study  properties  of  the  resulting  adversarial  behavior. 
It  unifies  differential  dynamic  logic  for  hybrid  systems  with  game  logic.  We  define  a  regular  modal 
semantics  for  clG£,  present  a  proof  calculus  for  clG£,  and  prove  soundness.  We  identify  separating 
axioms,  i.e.,  the  axioms  that  distinguish  clG£  and  its  game  aspects  from  logics  for  hybrid  systems. 
We  also  define  an  operational  game  semantics,  prove  equivalence,  and  prove  determinacy. 


1  Introduction 


Hybrid  systems  [Hen96]  are  dynamical  systems  that  combine  discrete  dynamics  and  continuous 
dynamics.  They  are  important  for  modeling  systems  that  use  computers  to  control  physical  sys¬ 
tems.  Hybrid  systems  allow  discrete  jump  assignments  for  discrete  dynamics  and  differential 
equations  for  continuous  dynamics.  They  combine  conditional  switching,  nondeterminism,  and 
repetition.  Hybrid  systems  are  undecidable  [Hen96,  AM98,  CLOO],  but  nevertheless  the  focus  of 
many  successful  verification  approaches.  They  have  a  complete  axiomatization  relative  to  differ¬ 
ential  equations  in  a  logic  called  differential  dynamic  logic  (d£)  [Pla08,  Plal2b,  Plal2a],  which 
extends  Pratt’s  dynamic  logic  of  conventional  discrete  programs  [Pra76]  to  hybrid  systems. 

In  this  paper,  we  consider  multi-agent  hybrid  systems,  where  two  agents  act  and  we  are  uncer¬ 
tain  how  they  will  interact  with  each  other.  Agents  often  have  only  limited  knowledge  about  their 
environment  or  about  the  exact  future  behavior  of  other  agents.  In  that  case,  the  system  turns  into  a 
game  in  which  every  agent  has  a  set  of  actions  to  choose  from  as  the  system  evolves.  Each  agent  can 
control  its  own  actions  to  realize  its  own  objective  but  has  to  be  prepared  to  handle  all  possible  ac¬ 
tions  by  other  agents  who  may  follow  other  objectives.  Because  the  agents  play  on  a  hybrid  system, 
we  obtain  a  hybrid  game,  i.e.,  a  game  of  two  agents  on  a  hybrid  system  [TPS98,  TLSOO,  VPVDl  1]. 
Hybrid  systems  also  allow  for  nondeterminism  and  previous  logics  can  be  used  to  prove  proper¬ 
ties  about  all  (d£  formula  [a](j))  or  some  ({a)(j))  ways  of  resolving  it  [Pla08].  In  hybrid  systems, 
exactly  one  entity  chooses  how  to  resolve  the  nondeterminism.  In  hybrid  games,  instead,  two  play¬ 
ers  have  the  opportunity  to  resolve  nondeterministic  choices  interactively,  based  on  the  outcome 
that  previous  decisions  by  the  other  player  have  had.  Hybrid  games  are  sequential/dynamic,  non- 
cooperative  zero-sum  two-player  games  of  perfect  information  played  on  hybrid  systems.  They 
are  based  on  discrete  games  [vNM55,  Nas51],  which  have  been  studied  more  exhaustively.  Zero- 
sum  two-player  games  are  general  in  that  any  non-zero  sum  n-player  game  reduces  to  a  zero-sum 
(n  -f  l)-player  game  [vNM55,  56.2.2],  and  any  n-player  zero-sum  game  can  be  based  on  zero-sum 
two-player  games  of  a  player  against  an  aggregate  player  [vNM55,  25.2].  Note  that,  even  if  the 
agents  do  not  necessarily  actively  pursue  the  interest  to  spoil  each  others’  objectives,  they  may 
still  do  so  out  of  ignorance,  or  because  their  respective  actions  interfere.  Every  agent,  thus,  has  to 
choose  his  actions  in  some  way  while  being  prepared  that  other  agents  could  choose  any  of  their 
actions,  which  is  an  adversarial  resolution  of  the  nondeterminisms  in  the  game. 

Games  and  logic  have  been  shown  to  interact  fruitfully  in  many  ways  [HS97].  We  focus  on 
using  logic  to  specify  and  verify  properties  of  hybrid  games.  Our  approach  to  verifying  hybrid 
games  is  inspired  by  Parikh’s  game  logic  [Par85,  PP03].  Game  logic  generalizes  (propositional 
discrete)  dynamic  logic  to  discrete  games  played  on  a  finite  state  spaces.  We  introduce  a  logic, 
differential  game  logic  (cG£),  that  generalizes  differential  dynamic  logic  (d£)  [Pla08,  Plal2b, 
Plal2a]  to  hybrid  games  and,  simultaneously,  generalizes  game  logic  [Par85,  PP03]  to  hybrid 
systems  with  their  uncountable  state  spaces  and  interacting  discrete  and  continuous  dynamics. 

The  logic  clG£  we  present  here  has  some  similarity  with  our  stochastic  differential  dynamic 
logic  (Sd£)  [Plall],  because  both  address  the  issue  of  how  to  verify  properties  of  the  system  dy¬ 
namics  with  partially  uncertain  behavior.  Both  approaches  do,  however,  address  uncertainty  in 
fundamentally  different  ways.  Sd£  takes  a  probabilistic  perspective  on  uncertainty  in  the  system 
dynamics.  The  clG£  approach  put  forth  in  this  paper,  instead,  takes  an  adversarial  perspective 
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on  uncertainty.  Both  views  on  how  to  handle  uncertain  behavior  are  useful  but  serve  different 
purposes,  depending  on  the  nature  of  the  system  analysis  question  at  hand.  A  probabilistic  un¬ 
derstanding  of  uncertainty  can  be  superior  whenever  good  information  is  available  about  the  dis¬ 
tribution  of  choices  made  by  the  environment.  Whenever  that  is  not  possible,  adversarial  views 
are  more  appropriate,  since  they  do  not  lead  to  the  inadequate  biases  that  arbitrary  probabilistic 
assumptions  would  impose.  Security  questions  about  hybrid  systems  lead  to  inherently  adversarial 
situations.  Controller  synthesis  for  hybrid  systems  is  another  application  that  reduces  to  a  hybrid 
game  [VPVDll]. 

Our  primary  contributions  are  that  we  identify  the  logical  essentials  of  hybrid  games  and  their 
game  combinators,  introduce  differential  game  logic,  a  semantics,  and  proof  calculus,  and  that  we 
characterize  what  constitutes  the  fundamental  difference  of  hybrid  systems  proving  compared  to 
hybrid  games  proving.  Furthermore,  we  relate  this  semantics  to  a  game-theoretical  operational 
game  semantics,  prove  equivalence,  and  prove  determinacy. 


2  Differential  Game  Logic 

The  games  we  consider  have  no  draws  and  if  a  player  is  deadlocked,  he  loses.  If  the  game  com¬ 
pletes  without  deadlock,  the  player  who  reaches  one  of  his  winning  states  wins.  Thus,  exactly  one 
player  wins  each  game  play,  since  the  winning  states  are  complementary.  Our  games  are  zero-sum 
games,  i.e.,  if  one  player  wins,  the  other  one  loses,  and  vice  versa,  with  player  payoffs  ±1.  Classi¬ 
cally,  the  two  players  are  called  Ange/  and  Demon.  Our  games  are  non-cooperative  and  sequential 
games.  That  is,  the  players  do  not  negotiate  binding  contracts  (beyond  what  is  represented  in  the 
rules  of  the  game),  but  can  choose  to  act  at  will.  Furthermore,  the  games  are  sequential  (or  dy¬ 
namic),  i.e.,  the  game  proceeds  in  a  series  of  steps.  At  each  step,  exactly  one  of  the  players  can 
choose  an  action  and  his  next  action  can  be  based  on  the  outcome  of  the  last  action  (by  the  other 
player  or  himself,  whoever  moved  last)  and,  thus,  may  depend  on  the  previous  choices  determining 
the  current  state. 

The  hybrid  games  of  differential  game  logic  clG£  are  defined  by  the  following  grammar  (a,  /) 
are  hybrid  games,  x  a  vector  of  variables,  9  a  vector  of  terms  of  the  same  dimension,  H  a  formula 
of  first-order  arithmetic,  and  0  is  a  dGC  formula,  usually  first-order): 

a,l3  ::=  x  :  =  9  \  7 f  \  x'  =  6  Sz  H  \  a  U  /3  \  a;  /3  \  a*  \ 

The  formulas  of  differential  game  logic  clG£  are  defined  by  the  following  grammar  (0, 0  are  clG£ 
formulas,  9i  are  terms,  x  a  variable,  and  a  is  a  hybrid  game): 

0, 0  ::=  6^1  >  6*2  I  -'f  |  0  A  0  |  3a;  0  |  (q;)0 

The  operator  [a]  dual  to  {a)  is  defined  by  [q;]0  =  -'(q;)-'0.  Operators  >,  =,  <,  <,  V,  — )■,  f-)-,  3a; 
can  be  defined  as  usual,  e.g.,  Va;  0  =  -i3a;  ->0.  Formula  (a)0  expresses  that  Angel  has  a  winning 
strategy  to  achieve  0  in  game  a,  i.e.,  Angel  has  a  strategy  to  reach  a  state  satisfying  formula  0  when 
playing  game  a,  no  matter  what  strategy  Demon  chooses.  The  formula  [q;]0  expresses  that  Angel 
does  not  have  a  winning  strategy  to  achieve  ->0  in  game  a.  This  is  equivalent  to  Demon  having  a 
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winning  strategy  to  achieve  0,  because,  any  way  how  Demon  plays  to  prevent  Angel  from  winning 
is  a  winning  strategy  for  Demon,  since  there  are  no  draws  and  the  game  cannot  be  played  infinitely 
long.  That  is,  our  games  are  determined,  i.e.,  from  each  state  and  for  each  winning  condition  0, 
either  Angel  has  a  winning  strategy  or  Demon  has  a  winning  strategy.  Determinacy  follows  from 
the  Borel  determinacy  theorem  [Kec94,  Theorem  20.6];  see  Section  4  for  details. 

The  atomic  games  of  clG£  are  assignments,  continuous  evolutions,  and  tests.  In  the  determin¬ 
istic  assignment  game  x:=  9,  the  value  of  variable  x  changes  instantly  and  deterministically  to 
that  of  9  without  any  choice  to  resolve.  In  the  continuous  evolution  game  x'  =  9  k.H,  the  duration 
of  the  evolution  of  the  continuous  evolution  along  differential  equation  x'  =  9  h  Angel’s  choice, 
but  Angel  is  not  allowed  to  choose  a  duration  that  would  cause  the  state  to  leave  the  region  where 
formula  H  holds.  In  particular,  Angel  is  deadlocked  and  loses  if  H  does  not  hold  in  the  current 
state,  because  she  cannot  even  evolve  for  duration  0  then.  The  test  game  or  challenge  ?0  has  no 
effect  on  the  state,  except  that  Angel  loses  the  game  if  dGC  formula  0  does  not  hold  in  the  current 
state. 

The  compound  games  are  sequential  composition,  choice,  repetition,  and  duals.  The  sequential 
game  a;  0  is  the  game  that  first  plays  game  a  and,  when  game  a  terminates  without  a  player 
having  won  already,  continues  by  playing  game  (3.  In  the  choice  game  a  U  0,  Angel  chooses 
whether  to  play  game  a  or  play  game  0.  The  repeated  game  a*  plays  game  a  repeatedly  and 
Angel  chooses,  after  each  play  of  a  that  terminates  without  a  player  having  won  already,  whether 
to  play  the  game  again  or  not,  but  she  cannot  choose  to  play  infinitely  often  (any  number  n  G  N 
of  repetitions  is  permitted,  including  zero).  Thus,  we  consider  games  on  non-Zeno  hybrid  system 
runs  [DNOO,  Hen96].  The  dual  game  a'^  is  the  same  as  playing  the  game  a  with  the  roles  of  the 
players  swapped.  That  is,  in  Demon  decides  all  choices  that  Angel  has  in  a,  and  Angel  decides 
all  choices  in  that  Demon  has  in  a.  Players  who  are  supposed  to  move  but  deadlock  lose.  Test 
game  ?0  causes  Angel  to  lose  if  formula  0  does  not  hold.  Dual  test  game  (?0)'^  causes  Demon  to 
lose  if  0  does  not  hold. 

Demonic  choice  between  game  a  and  0  is  U  0'^)'^  and  denoted  by  a  fl  0,  in  which  either 
the  game  a  or  the  game  0  is  played,  by  Demon’s  choice.  Demonic  repetition  of  game  a  is 
and  denoted  by  ,  in  which  a  is  repeated  as  often  as  Demon  chooses  to.  In  ,  Demon  chooses 
after  each  play  of  a  whether  to  repeat  the  game,  but  cannot  play  infinitely  often.  The  dual  operator 
is  the  only  syntactic  difference  of  clG£  for  hybrid  games  compared  to  d£  for  hybrid  systems 
[Pla08,  Plal2b,  Plal2a],  but  a  fundamental  one,  because  it  is  the  only  operator  where  control 
passes  from  Angel  to  Demon  or  back.  The  dual  differential  equation  {x'  =  9hHY  follows  the 
same  dynamics  as  x'  =  9  H  except  that  Demon  chooses  the  duration.  Dual  assignment  {x  :=9Y 
is  equivalent  to  a;  :=  6^,  because  it  involves  no  choices. 

Observe  that  every  play  of  a  game  is  won  or  lost  by  exactly  one  player.  Even  a  repeated  game 
a*  has  only  one  winner,  because  the  game  stops  as  soon  as  one  player  has  won.  This  is  different 
than  the  classical  repetition  of  game  plays  (including  winning/losing),  where  the  purpose  is  for  the 
players  to  repeat  the  same  game  over  and  over  again,  win  and  lose  multiple  times,  and  study  who 
wins  how  often  in  the  long  run  with  mixed  strategies.  In  our  scenario,  the  overall  game  is  played 
once  (even  if  some  part  of  it  constitutes  in  repeating  action  choices)  and  stops  as  soon  as  either 
Angel  or  Demon  have  won.  In  applications,  the  system  is  already  in  trouble  even  if  it  loses  the 
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game  only  once,  because  that  may  entail  that  a  safety-critical  property  has  already  been  violated. 


3  Semantics 

A  state  s  is  a  mapping  from  variables  to  M.  The  set  of  states  is  denoted  by  S 
Euclidean  space  M”  when  n  is  the  number  of  variables.  We  use  sf  to  denote 
with  state  s  except  for  the  interpretation  of  variable  x,  which  is  changed  to  d 
value  of  term  6*  in  s  by  [6*]^.  The  semantics  of  a  dfjjC  formula  f  is  the  subset 
which  0  is  true.  It  is  defined  as  follows 

1.  I^i  >  6^2]  =  {s  G  iS  :  [6'i]^  >  [6*2]^} 

2.  1^0]  =  5  \  [0] 

3.  10  A  0]  =  10]  n  10] 

4.  px  0]  =  {s  G  5  ;  G  |0]  for  some  r  G  M} 

5.  |(a)0]  = 

A  clG£  formula  0  is  valid,  written  1=  0,  iff  [0]  =  S.  The  semantics  of  a  hybrid  game  is  not  a 
reachability  relation  of  a  hybrid  system,  because  the  interactions  of  the  players  have  to  be  taken 
into  account.  The  semantics  of  a  hybrid  game  a  is  a  function  that,  for  each  set  of  Angel’s 
winning  states  X  S  gives  the  set  of  states  s^q,(X)  from  which  Angel  has  a  winning  strategy  to 
achieve  X  (whatever  strategy  Demon  chooses).  It  is  defined  as  follows 

1.  =  {s  G  5  :  *  G  X} 

2.  <,x'=ehH{X)  =  {93(0)  G  S  :  (p{r)  G  X  for  some  0  <  r  G  M  and  some  (differentiable) 
(f-.  [0,r]  ^  5  such  that  ^^^(C)  =  P]^(^)  and  <^(0  G  {Hj  for  all  0  <  C  <  r} 

3.  ^v^(X)  =  [0|nX 

4.  ?«u/3(X)  =?4X)U^;3(X) 

5.  ^„;;3(X)  =  <^„(?/3(X)) 

6.  w  (X)  =  f]{Z  CS:XU  ^^{Z)  C  Z} 

7.  wW  =‘5\<^„(5\X) 

Strategies  do  not  occur  explicitly  in  the  clG£  semantics,  because  it  is  based  on  the  existence  of 
winning  strategies,  not  the  strategies  themselves.  The  semantics  is  fully  compositional,  i.e.,  the 
semantics  of  a  compound  dG£  formula  is  a  simple  function  of  the  semantics  of  its  pieces,  and  the 
semantics  of  a  compound  hybrid  game  is  a  function  of  the  semantics  of  its  pieces.  In  particular, 
existence  of  a  strategy  in  game  a  to  achieve  X  is  independent  of  any  game  and  clG£  formula 


and  isomorphic  to  a 
the  state  that  agrees 
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surrounding  a,  but  just  depends  on  the  remaining  game  a  itself  and  on  the  goal  X.  By  an  inductive 
argument,  this  reproves  the  classical  result  that  we  can  focus  on  memoryless  strategies,  because  the 
existence  of  strategies  does  not  depend  on  surroundings,  hence,  by  working  bottom  up,  the  strategy 
itself  cannot  depend  on  past  states  and  choices,  only  the  current  state,  remaining  game,  and  goal. 

Monotonicity,  i.e.,  C  for  all  X  C  F,  is  easy  to  check  for  each  case.  Hence,  the 

least  fixpoint  in  is  well-defined.  The  equivalence  [q\4>  <H-  -1(0;) ->0  has  two  interesting 

consequences.  The  direction  ^  XX)  expresses  that  the  game  is  consistent,  i.e.,  from  any 

state,  at  most  one  of  the  players  can  have  a  winning  strategy  for  complementary  winning  conditions 
(p  and  -10,  respectively.  The  direction  (a)0  V  represents  that  the  game  is  determined,  i.e., 
from  any  state,  at  least  one  of  the  players  has  a  winning  strategy  to  achieve  complementary  winning 
conditions  0  and  -10,  respectively;  see  Section  4. 

Note  that  clG£  games  branch  finitely  when  the  players  decide  which  game  to  play  in  a  U  0  and 
a  n  0,  respectively.  The  games  a*  and  also  branch  finitely,  because,  after  each  repetition  of 
a,  the  respective  player  (Angel  for  a*  and  Demon  for  a^)  may  decide  whether  to  repeat  again  or 
stop.  Repeated  games  still  lead  to  countably  infinitely  many  branches,  because  a  repeated  game 
can  be  repeated  any  natural  number  of  times.  The  game  branches  uncountably  infinitely,  how¬ 
ever,  when  the  players  decide  how  long  to  evolve  along  differential  equations  m  x'  =  6  k,H  and 
{x'  =  9  k.  HY,  because  uncountably  many  nonnegative  real  number  could  be  chosen  as  a  duration 
(unless  the  system  leaves  H  immediately). 

In  {a*)4>.  Demon  already  has  a  winning  strategy  if  he  only  has  a  strategy  that  prevents  0 
indefinitely,  because  Angel  eventually  has  to  stop  repeating.  Dually,  in  (q;^)0  =  [q;*]0,  Angel 
already  has  a  winning  strategy  if  she  has  a  strategy  that  prevents  0  indefinitely,  because  Demon 
eventually  has  to  stop  repeating. 

Note  that  it  is  crucial  that  we  have  chosen  finite  repetition  by  the  least  fixpoint  for  the  semantics 
of  a* .  Otherwise,  the  filibuster  formula  would  not  have  a  well-defined  truth-value: 

{{x  :=  0  n  a;  :=  l)*)a;  =  0 

The  game  in  this  formula  never  deadlocks  (stalemates),  because  every  player  always  has  a  re¬ 
maining  move  (here  even  two).  But,  without  the  least  fixpoint,  the  game  would  have  perpet¬ 
ual  checks,  because  no  strategy  helps  either  player  win  the  game;  see  Fig.  1.  Demon  can  move 
a;  :=  1  and  would  win,  but  Angel  observes  this  and  decides  to  repeat,  upon  which  Demon  can 
again  move  x  :=  1.  Thus  (unless  Angel  is  lucky  starting  from  an  initial  state  where  she  has  won 
already)  every  strategy  that  one  player  has  to  reach  a;  =  0  or  a;  =  1  could  be  spoiled  by  the 
other  player  and  the  game  would  not  be  determined.  Every  player  can  let  his  opponent  win,  but 
would  not  have  a  strategy  to  win  himself.  Because  of  the  least  fixpoint  =  icZ.X  U  qa{Z) 

in  the  semantics,  however,  repetitions  have  to  stop  eventually  (after  an  arbitrary  and  unbounded 
but  finite  number  of  rounds).  That  is  why,  in  the  example  in  Fig.  1,  Demon  wins  and  the  for¬ 
mula  is  false,  unless  a;  =  0  already  holds  initially.  Likewise,  the  dual  filibuster  game  formula 
a;  =  0  — )■  ((a;  :=  0  U  a;  :=  l)^)a;  =  0  is  (determined  and)  valid  in  clG£,  because  Demon  has  to  stop 
repeating  eventually. 

Lemma  1  (Scott-continuity  of  non-interactive  clG£).  For  ‘^-free  a,  the  semantics  is  Scott-continuous, 
i-e.,  qa{[jnei^n)  =  qa{Xn)  for  all  families  {Xn}n&i  with  index  set  1. 
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Figure  1:  The  filibuster  game  formula  {{x  :=  0  fl  x  :=  l)*)x  =  0  is  false  (unless  x  =  0  initially), 
but  would  be  non-determined  without  least  fixpoints  (strategies  follow  thiek  aetions).  Here  and  in 
subsequent  figures,  we  illustrate  Angel’s  aetion  choices  by  dashed  edges  from  dashed  diamonds. 
Demon’s  action  choices  by  solid  edges  from  solid  squares,  and  use  double  lines  to  indicate  identical 
states  with  the  same  continuous  state  and  a  subgame  of  the  same  structure  of  subsequent  choices. 
We  mark  states  where  Angel  wins  by  o  and  states  where  Demon  wins  by  ° .  If  a  winning  state  can 
be  reached  by  a  winning  strategy,  we  enclose  the  mark  in  a  circle  @  or  @,  respectively. 


A  proof  is  in  Appendix  A.  Interactive  games  with  both  duals  and  repetitions,  however,  do  not 
generally  have  a  Scott-continuous  semantics: 

oo  oo 

M  =  <^j^^+ix(lJ(-cx),n])  ^  IJ  ^j^^+ix((-cx),n])  =  0 

n=l  n=l 

'• - V - ' 

R 

since  1=  (?/:=?/  + 1^)  3n :  N  ?/<  n  but  3n:N  {y  :=y  +  l^)y  <  n 

true 

Observe  that  this  is  related  to  a  failure  of  the  Barcan  axiom  (Section  6). 
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4  Operational  Game  Semantics 

In  order  to  relate  the  intuition  of  interactive  game  play  to  the  semantics  of  hybrid  games,  we 
show  an  operational  semantics  for  hybrid  games  that  is  more  complicated  than  the  regular  modal 
semantics  from  Section  3  but  makes  strategies  explicit  and  more  directly  reflects  the  intuition  how 
hybrid  games  are  played  successively.  The  regular  modal  semantics  is  beneficial,  because  it  is 
simpler.  The  operational  semantics  formalizes  the  intuition  behind  the  game  tree  in  Fig.  1  and 
relates  to  standard  notions  in  game-theory.  We  prove  in  Theorem  2  below  that  the  operational  game 
semantics  is  equivalent  to  the  regular  modal  semantics  from  Section  3.  The  operational  semantics 
makes  winning  strategies  explicit.  As  the  set  of  actions  A  for  a  hybrid  game,  we  choose: 

{I,  r,  s,  g,  d}  U  {(x  :=  6^)  :  x  variable,  0  term} 

U  {{x'  =  6  ^  H@r)  :  x  variable,  6  term,  H  formula,  r  G  M>o}  U  {?0  :  0  formula} 

For  game  a  U  0,  action  I  decides  to  descend  left  into  a,  r  is  the  action  of  descending  right  into  (3.  In 
game  a*,  action  s  decides  to  stop  repeating,  action  g  decides  to  go  back  and  repeat.  Action  d  starts 
and  ends  a  dual  game  for  The  other  actions  represent  assignment  actions,  continuous  evolution 
actions  (in  which  time  r  is  the  critical  decision),  and  test  actions. 

The  set  of  finite  sequences  of  actions  is  denoted  by  the  set  of  infinite  sequences  by 
The  empty  sequence  of  actions  is  ().  The  concatenation,  s"t,  of  sequences  s,  t  G  is  defined 
as  (si, . . . ,  Sn,  A, . . . ,  tm)  if  s  =  (si, . . . ,  Sn)  and  t  =  (fi, . . . ,  tm)-  For  an  a  G  A,  we  write  a3t 
for  (a)T  and  write  Va  for  V{a).  For  a  set  S'  C  A^^^  we  write  SA  for  {sA  :  s  G  S'}  and  TS'  for 
;  s  G  S'}.  The  state  \t]s  reached  by  playing  a  sequence  of  actions  t  G  A^^^  from  a  state  s  is 
inductively  defined  by  applying  the  actions  sequentially,  i.e.,  as  follows: 

1.  = 

2.  [x'  =  6  ^H@r~\s  =  V’ir)  where  (p  :  [0,  r]  — )■  5  differentiable,  V9(0)  =  s, 

and  </3(C)  £  [-^1  for  all  (  <  r .  Where  \x'  =  0  &  H@r~\  s  is  not  defined  if  no  such  (p  exists. 

1  not  defined  otherwise 

4.  [I],  =  [r],  =  [s],  =  [g],  =  [d],  =  [()],  =  s 

5.  \a"t\s  =  [tld-a]*)  for  a  G  A  and  t  G  A^^^ 

A  tree  is  a  set  T  C  A^^^  that  is  closed  under  prefixes,  that  is,  whenever  t  G  T  and  s  is  a  prefix  of 
t  (i.e.,  t  =  for  some  r  G  A^^^,  then  s  G  T.  A  node  t  G  T  is  a  successor  of  node  s  G  T  iff 
t  =  s"a  for  some  a  G  A.  By  leaf(T)  we  denote  the  set  of  all  leaves  of  T,  i.e.,  nodes  t  G  T  that 
have  no  successor  in  T.  The  operational  game  semantics  of  hybrid  game  a  is,  for  each  state  s,  a 
tree  0(0;)  (s)  C  A*^^)  defined  as  follows  (see  Fig.  2  for  a  schematic  illustration): 

1.  0(a;:=0)(s)  =  {(),(a;:=0)} 
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x:=e  x'  =  eSzH 


Figure  2:  Operational  game  semantics  for  hybrid  games  of  cG£ 


2.  g(x' =  =  {{),  {x' =  9  H@r)  :  r  G  M>o,</5(0)  =  s  for  some  (differentiable) 

9?  :  [0,r]  ^  5  such  that  and  (p{C)  G  {Hj  for  all  C  < 


3.  0(?0)(s)  = 


{(),(?0)}  ifsG[0] 
{(),  (?/a/se)}  otherwise 


4.  fl(a  U  f3){s)  =  {(),  (I),  (r)}  U  rfl(a)(s)  U  £0(/?)(s) 

5.  0(a;/3)(s)  =  0(a)(s)  U  (J  0(/?)([f],) 

teleaf(g(Q:)(s)) 


6. 


0(i>)  =  n{rc  A™:{(),(5),(g)}U  y  rg-0(a)([rgl,)-{(),(s),(g)} 


cry 


rggleaf(Z) 


7.  0(a'^)(.)  =  {(),(d)}Ud^0(a)(.)^{(),d} 


Angel  gets  to  choose  which  action  to  take  at  node  t  G  0(a)(s)  if  t  has  an  even  number  of  occur¬ 
rences  of  d,  otherwise  Demon  gets  to  choose.  In  the  former  case  we  say  Angel  acts  at  t,  in  the 
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latter  Demon  acts  at  t.  If  the  player  who  chooses  the  action  at  t  G  0(0;)  (s)  is  deadlocked,  because 
the  only  successor  actions  have  a  condition  that  is  not  satisfied  like  7 false  or  x'  =  6*  &  a;  >  0  at  a 
state  where  a;  <  0,  then  that  player  loses  immediately. 

A  strategy  for  Angel  from  initial  state  s  is  a  nonempty  subtree  a  C  0(q;)(s)  such  that 

1.  for  alH  G  a  at  which  Demon  acts,  Da  G  a  for  all  a  G  A  such  that  Da  G  0(0;) (s). 

2.  for  alH  G  a  at  which  Angel  acts,  t  ^  leaf(0(Q;)(s)),  there  is  a  unique  a  G  A  with  Da  G  a. 

Strategies  for  Demon  are  defined  accordingly,  with  “Angel”  and  “Demon”  swapped.  The  action 
sequence  cr  ©  r  played  from  state  s  when  Angel  plays  strategy  a  and  Demon  plays  strategy  r  from 
s  is  defined  as  the  sequence  (ai, . . . ,  a„)  G  A^^^  of  maximal  length  such  that 

{a  if  Angel  acts  at  (oi, . . . ,  an)  and  (ai, . . . ,  a„)"a  G  a 

a  if  Demon  acts  at  (oi, . . . ,  a^)  and  (oi, . . . ,  an)"a  G  r 

not  defined  otherwise 

By  definition  of  a  strategy  for  Angel/Demon,  the  a  is  unique.  A  winning  strategy  for  Angel  for 
winning  condition  X  S  from  state  s  is  a  strategy  a  C  0(0;) (s)  for  Angel  from  s  such  that, 
for  all  strategies  r  C  0(0;)  (s)  for  Demon  from  s:  Demon  deadlocks  or  [(T  ©  G  X.  A  winning 
strategy  for  Demon  for  (Demon’s)  winning  condition  X  S  from  state  s  is  a  strategy  r  ^  0(«)(s) 
for  Demon  from  s  such  that,  for  all  strategies  a  C  0(0;)  (s)  for  Angel  from  s:  Angel  deadlocks  or 
[a  ©  r]s  G  X.  By  definition,  it  cannot  be  that  Angel  has  a  winning  strategy  for  X  from  s  and, 
at  the  same  time.  Demon  has  a  winning  strategy  for  5  \  X  from  s.  If  we  understand  [a\(f)  as 
Demon  having  a  strategy  to  achieve  f,  this  justifies  the  consistency  direction  -'((q;)0  A  [oi]-^4>)  of 
[a\4)  GG  -i(q;)-'0.  Determinacy,  i.e.,  the  direction  {a)4>  V  [oi]^4>  of  W\4>  ^  holds  by 

definition  in  the  regular  modal  semantics  of  Sections,  but  can  now  be  justified  in  the  operational 
semantics  based  on  the  Borel  determinacy  theorem  [Mar75]. 

Theorem  1  (Determinacy).  Hybrid  games  are  determined,  i.e.,  for  any  hybrid  game  a,  initial  state 
s,  and  winning  condition  X  C  S,  either  Angel  has  a  winning  strategy  for  X  from  s  or  Demon  has 
a  winning  strategy  for  S\X  from  s. 

A  proof  is  in  Appendix  B.  We  show  that  the  regular  modal  semantics  from  Section  3  is  equiva¬ 
lent  to  the  operational  semantics  (proof  in  Appendix  C): 

Theorem  2  (Equivalent  semantics).  The  regular  modal  semantics  o/dGE  is  equivalent  to  the  game 
tree  operational  semantics  of  clG£,  i.e.,  for  each  hybrid  game  a,  each  initial  state  s,  and  each 
winning  condition  X  C  S  for  Angel: 

s  G  ?q(X)  there  is  a  winning  strategy  a  C  Q{a){s)  for  Angel  for  X  from  s 
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5  Proof  Calculus 

Simple  clG£  formulas  can  be  checked  by  a  simple  tableau  procedure  that  expands  the  options  of 
all  players  and  detects  loops  for  termination  as  shown  in  the  game  tree  examples.  This  does  not 
extend  to  more  general  cG£  formulas,  however,  which  have  inherently  infinite  states.  In  Fig.  3,  we 
present  a  proof  calculus  for  proving  validity  of  general  clG£  formulas. 

The  proof  calculus  of  clG£  shares  sev¬ 
eral  axioms  with  the  proof  calculus  of  d£ 
[PlaOS,  Plal2b,  Plal2a].  We  use  the  first- 
order  Hilbert  calculus  (modus  ponens  and 
V-generalization)  as  a  basis  and  allow  all 
instances  of  valid  formulas  of  first-order 
real  arithmetic  as  axioms,  which  are  decid¬ 
able  [TarSl].  Axiom  (;=)  is  Hoare’s  as¬ 
signment  rule.  Formula  0(6*)  is  obtained 
from  (j){x)  by  substituting  6  for  x,  pro¬ 
vided  X  does  not  occur  in  the  scope  of 
a  quantifier  or  modality  binding  a;  or  a 
variable  of  6*.  A  modality  (a)  containing 
2::=  or  z'  binds  z.  In  axiom  ('),  y{-)  is 
the  (unique  [Wal98,  Theorem  10. VI])  so¬ 
lution  of  the  symbolic  initial  value  prob¬ 
lem  y'{t)  =  6*,  1/(0)  =  X.  It  goes  without 
saying  that  variables  like  t  are  fresh  in 
Fig.  3.  Axioms  (?),  (U),  and  (;)  are  as 
in  d£  [Plal2b].  Axiom  (*)  is  the  itera¬ 
tion  axiom.  The  converse  of  (*)  can  be 
derived'  and  is  also  denoted  by  (*).  Ax¬ 
iom  (^)  is  specific  to  clG£  and  character¬ 
izes  dual  games.  Recall  =  [q;]0. 

Axiom  says  that  Angel  has  a  winning 
strategy  for  0  in  dual  game  iff  Demon  has  a  winning  strategy  for  0  in  a.  Axiom  ^  is  the 
converse  Barcan  formula  of  first-order  modal  logic,  characterizing  monotonic  domains  [HC96].  In 
order  for  it  to  be  sound  for  clG£,  x  must  not  occur  in  a,  written  x  ^  a. 

Rule  R  is  the  generalization  rule  of  regular  modal  logic  C.  Rule  FP  is  the  fixpoint  rule,  char¬ 
acterizing  (q:*)0  as  a  smallest  fixpoint.  Rule  con,  in  which  v  does  not  occur  in  a,  is  a  variation  of 
Harel’s  convergence  rule,  suitably  adapted  to  hybrid  games  over  M.  It  expresses  that,  if  Angel  has 
a  strategy  to  make  progress  from  (p{v)  to  (p{v  —  1)  along  a,  then,  from  any  state  where  (p{v)  holds, 
she  has  a  strategy  to  reach  ip{v)  for  some  u  <  0  by  repeating  a. 

'  0  V  (a)(a*)0  — >■  (a*)0  is  valid  by  (*).  Thus,  (a)(0  V  (a)(a*)0)  — >■  (a)(a*)0  by  R.  Hence,  0  V  (a)(0  V 
{a){a*)(j>)  — >■  0  V  (a) (a*)0  by  propositional  congruence.  Consequently,  (q;*)0  — >■  0  V  (a)  (q;*)0  by  FP. 


(:=)  (x  :=  6')0(a;)  <H- 0(0) 

(?)  (?0)0F^  (0  A0) 

(')  {x' =  e)(j)  ^3t>0{x:=y{t))4>  (y'{t)  =  d) 

(U)  {a  U  0)0  <H-  (q;)0  V  (0)0 
(;)  (a;0)0  (a)(0)0 

{*)  0  V  (a)(ct*)0  (a*)0 

if-)  (a^)(j)  <H-  ->{a)->(j) 

3x  {a)(j)  ^  {a)3x  (J)  (x  ^  a) 

0  — )■  0 


R 


FP 


con 


(q;)0  — )■  (a)0 
0  V  (q;)0  — )■  0 
(q;*)0  — )■  0 

ip{v)  A  u  >  0  — )■  {a)ip{v  —  1) 


(v  ^  a) 


(f{v)  — )■  (ct* )  3u<0  (/9(u) 

Figure  3:  Differential  game  logic  proof  rules 
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Example  1.  The  dual  filibuster  game  formula  from  Section  3  can  be  proved  as  follows: 


“  3;  =  0^0  =  0V1  =  0 _ 

=  0  -^{x  :=  0)a;  =  0  V  {x  :=  l)a;  =  0 
=  0  -^{x  :=  0  U  a;  :=  l)a;  =  0 


a;  =  0  — )■  [x  :=  0  n  a;  :=  l]a;  =  0 


ind 


a;  =  0  — )-[(a;  :=  0  n  a;  :=  l)*]a;  =  0 
a;  =  0  — )-((a;  :=  0  U  a;  :=  l)^)a;  =  0 


Almost  the  same  clG£  proof  proves  x  =  0— )-((a;  :=  a;  U  a;  :=  l)^)a;  =  0.  We  note  that  significantly 
more  challenging  systems  with  complex  hybrid  dynamics  are  provable  in  the  clG£  calculus. 

The  primary  difference  of  the  axiomatization  of  clG£  compared  to  differential  dynamic  logic 
[Plal2a]  is  the  addition  of  axiom  {^)  for  dual  games,  the  absence  of  axiom  K,  absence  of  the  Barcan 
formula  (clG£  only  has  the  converse  Barcan  axiom  ^),  and  absence  of  Godel’s  necessitation  rule 
(clG£  only  has  the  regular  modal  rule  R).  Given  the  big  semantical  difference  of  run  versus  game, 
it  is  striking  to  see  this  concise  difference  in  axioms.  This  indicates  that  we  have  found  the  right 
logical  characterizations.  Due  to  the  absence  of  K,  we  will  see  (in  Section  6)  why  the  induction 
axiom  and  the  convergence  axiom  are  also  absent  in  dGC,  while  corresponding  rules  are  still  valid. 
The  induction  rule  (ind,  which  is  derivable  from  FP)  and  the  convergence  rule  (con)  are  sound  for 
clG£  (a  proof  is  in  Appendix  D). 

Lemma  2.  Rule  FP  and  the  induction  rule  (ind)  of  dynamic  logic  are  interderivable  in  the  dGC 
calculus: 

^  r  .1  / 
yj  — )■  [0*1^! 

Theorem  3  (Soundness).  The  dG£  proof  rules  in  Fig.  3  are  sound. 

A  proof  is  in  Appendix  D.  The  proof  rules  in  Fig.  3  do  not  handle  differential  equations  with 
evolution  domain  constraints  (other  than  true).  Unlike  in  (poor  test)  differential  dynamic  logic 
[PlaOS,  PlalO,  Plal2a],  however,  every  hybrid  game  containing  a  differential  equation  with  evolu¬ 
tion  domain  constraints  can  be  replaced  equivalently  by  a  hybrid  game  without  evolution  domain 
constrains  (even  with  poor  tests,  i.e.,  each  test  70  uses  only  first-order  formulas  0)! 

Lemma  3.  Evolution  domains  of  differential  equations  are  definable  as  hybrid  games.  That  is,  for 
every  hybrid  game  a,  there  is  a  hybrid  game  (3  that  is  equivalent  (i.e.,  s^q(X)  =  s^/3(X)  for  all  X) 
but  has  no  evolution  domain  constraints. 


Proof.  When,  for  notational  convenience,  we  assume  the  (vectorial)  differential  equation  x'  =  6(x) 
to  contain  a  clock  Xq  =  1  and  that  to  and  x  are  fresh  variables,  then  the  following  two  hybrid  games 
are  equivalent: 

x'  =  9(x)hH(x)  =  to  :=  Xo]  x' =  6{x)-,  (z  :=  x]  z' = —6{z))'^-,3{zo  >  to  ^  H{z))  (1) 
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revert  flow  and  time  xq; 

Demon  checks  H  backwards  until 

to 


Figure  4:  Angel  evolves  x  forwards  in  time  along  x'  =  9{x),  Demon  checks  evolution  domain 
backwards  in  time  along  z'  =  —9{z')  on  a  copy  z  of  the  state 

See  Fig.  4  for  an  illustration.  Suppose  the  current  player  is  Angel.  The  idea  behind  game  equiva¬ 
lence  (1)  is  that  the  fresh  variable  to  remembers  the  initial  time  Xq,  and  Angel  then  evolves  along 
x'  =  9{x)  for  any  amount  of  time  (Angel’s  choice).  Afterwards,  the  opponent  Demon  copies 
the  state  x  into  a  fresh  variable  (vector)  2;  that  it  can  evolve  backwards  along  {z'  =  —9{z)Y  for 
any  amount  of  time  (Demon’s  choice).  The  original  player  Angel  must  then  pass  the  challenge 
^{zo  >  to  ^  H{z)),  i.e.,  Angel  loses  immediately  if  Demon  was  able  to  evolve  backwards  and 
leave  region  H{z)  while  satisfying  zo  >  to,  which  checks  that  Demon  did  not  evolve  backward  for 
longer  than  Angel  evolved  forward.  Otherwise,  when  Angel  passes  the  test,  the  extra  variables  to,  z 
become  irrelevant  (they  are  fresh)  and  the  game  continues  from  the  current  state  x  that  Angel  chose 
in  the  first  place  (by  selecting  a  duration  for  the  evolution  that  Demon  could  not  invalidate).  □ 

6  Separating  Axioms 

In  order  to  illustrate  how  and  why  (jG£  differs  from  differential  dynamic  logic  d£  [Pla08,  Plal2a], 
i.e.,  how  reasoning  about  hybrid  games  really  differs  from  reasoning  about  hybrid  systems,  we 
identify  separating  axioms,  that  is,  axioms  of  d£  that  do  not  hold  in  (jG£.  For  each  such  fun¬ 
damental  separating  axiom,  we  give  a  simple  counterexample  illustrating  what  makes  the  hybrid 
game  focus  of  cG£  behave  differently  than  hybrid  systems.  First,  we  show  that  clG£  only  is  a  reg¬ 
ular  modal  logic,  while  d£  is  a  normal  modal  logic  [HC96].  Axiom  K,  the  modal  modus  ponens 
from  modal  logic  [HC96],  dynamic  logic  [Pra76],  and  differential  dynamic  logic  [Plal2a]: 

H(0  ^  (H0  ^  N'0) 

is  not  sound  for  dGC  as  witnessed  using  the  choice  a  =  (x  :=  1  fl  x  :=  0);  ?/  :=  0  and  0  =  x  =  1, 
Ip  =  y  =  1',  see  Fig.  5.  The  global  rule  version  of  K,  i.e.,  the  implicative  version  of  GddeTs 
generalization  rule  is  still  sound  and  derives  with  from  R  using  a  = 

(p  ^  pj 
[P](p  [P]pj 

The  normal  Godel  generalization  rule  G,  i.e.. 


[a](p 
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<>□□000 

[a]  (x  =  1  —)•?/  =  1)  [a]x  =  1  [a]y  =  1 

Figure  5:  Game  trees  for  counterexample  to  axiom  K  using  a  =  (x  :=  1  fl  a;  :=  0);  j/  :=  0. 


however,  is  not  sound  for  clG£  as  witnessed  by  the  choice  a  =  {IfalseY,  0  =  true. 

The  Barcan  axiom  B,  which  characterizes  anti-monotonic  domains  in  first-order  modal  logic 
[HC96],  is  sound  for  constant-domain  first-order  dynamic  logic  and  for  differential  dynamic  logic 
dC  when  x  does  not  occur  in  a  [Plal2a] 

(a)3x  0  — >  3x  (a)0  (x  ^  a) 

but,  unlike  the  converse  Barcan  the  Barcan  axiom  is  not  sound  for  clG£  as  witnessed  by  the 
choice  a  =  y  :=  y  +  and  (f>  =  x  >y.  The  equivalent  Barcan  formula 

Vx  [a]0  — )■  [q;]Vx0  (x  ^  a) 

is  not  sound  for  dOC  as  witnessed  by  the  choice  a  =  y  :=y  +  and  (j)  =  y  >  x. 

The  first  arrival  axiom,  {a*)(j)  — >  0  V  (q!*)(-'0  A  (a)0),  which  holds  for  dC,  expresses  that,  if 
0  holds  after  a  repetition  of  a,  then  it  either  holds  right  away  or  a  can  be  repeated  so  that  0  does 
not  hold  yet  but  can  hold  after  one  more  repetition.  This  axiom  does  not  hold,  however,  for  (jG£ 
as  witnessed  by  a*  =  {{x  :=  x  —  y  D  x  :=0);y  :=  x)*  and  0  =  x  =  0,  since  two  iterations  surely 
yield  x  =  0,  but  one  iteration  may  or  may  not  yield  x  =  0,  depending  on  Demon’s  choice;  see 
Fig.  6. 

Unlike  induction  rule  ind,  induction  axiom  [a*](0  — )■  [q!]0)  — >  (0  — )■  [a*]0),  which  is  the  dual 
of  the  first  arrival  axiom,  holds  for  d£,  but  does  not  hold  for  (jG£  as  witnessed  by 

a*  =  ((x  :=  a;  a  :=  0)  n  X  :=  0)* 


and  0  =  X  =  1;  see  Fig.  7. 

Note  that  the  failure  of  the  induction  axiom  in  this  counterexample  hinges  on  the  fact  that  Angel 
is  free  to  decide  whether  or  not  to  repeat  a  after  each  round  depending  on  the  state.  This  would  be 
different  if  we  had  chosen  an  advance  notice  semantics  for  a*  in  which  the  number  of  times  that 
game  a  will  be  repeated  would  have  to  be  announced  by  the  player  when  the  loop  begins.  In  this 
example,  if  Angel  announces  that  she  has  chosen  n  repetitions  of  the  game,  then  Demon  wins  (for 
a  7^  0)  by  choosing  the  x  :=  0  option  n  —  1  times  followed  by  one  choice  of  x  :=  a;  a  :=  0.  Such 
games  that  need  a  prior  commitment  from  the  player  on  the  number  of  repetitions  before  a*  starts 
would  lead  to  a  very  different  semantics.  If  we  had  chosen  an  advance  notice  semantics,  then  the 
following  formula  would  be  valid,  but  it  is  not  valid  in  dGC  (see  Fig.  7  right): 

x  =  lAa  =  l— )■  [((x  :=  a;  a  :=  0)  n  x  :=  0)*]x  =  1  (2) 
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Figure  6:  Game  trees  for  counterexample  to  first  arrival  axiom  (notation:  x,  y)  with  game 
a  =  {x  ■.=  X  —  y  n  X  ■.=  ^)]y.=  X.  (left)  {a*)x  =  0  is  true  no  matter  which  choices  Demon  makes 
(right)  {a*){x  7^  0  A  {a)x  =  0)  is  false,  because  stop  can  be  defeated  hy  x-.=  x  —  y  and  repeat 
can  be  defeated  by  a;  :=  0. 

The  dual  formula,  instead,  is  valid  in  dGC  but  not  with  advance  notice  (Fig.  7): 

a;  =  lAa  =  l— )■  (((x  :=  a;  a  :=  0)  fl  x  :=  0)*)x  ^  1 

Our  semantics  is  more  general,  because  advance  notice  games  can  be  expressed  easily  in  dGC  by 
having  the  players  choose  a  counter  c  before  the  loop  that  decreases  to  0  during  the  repetition.  The 
advance  notice  semantics  for  (2)  can  be  expressed  in  clG£,  e.g.,  as 

x  =  lAa  =  1  — )■  [c:=0;c:=c+l*;(((x:=a;a:=0)nx:=0);c:=c  —  l)*;?c  =  0]x  =  1 

The  dGC  semantics  cannot,  however,  be  expressed  conversely  in  an  advance  notice  semantics,  so 
the  clG£  semantics  is  strictly  more  general.  Many  other  game  interactions  can  be  defined  in  similar 
ways  from  the  elementary  operators  that  dOC  provides. 


7  Related  Work 

Discrete  games  and  the  interaction  of  games  and  logic  for  various  purposes  have  been  studied  with 
much  success  [vNM55,  Par85,  HS97,  PP03].  Differential  games  have  been  studied  exhaustively 
[Isa67]  and  are  of  interest  to  understand  phenomena  in  games  where  the  actions  are  continuous  in 
time.  Here,  we  look  at  the  complementary  model  of  hybrid  games  where  the  underlying  system 
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Figure  7:  Game  trees  for  counterexample  to  induction  axiom  (notation:  x,a)  with  game 
a  =  {x  :=  a;a:=0)  n  X  :=  0.  (left)  [q;*](x  =  1  — >■  [a]x  =  1)  is  true  by  the  strategy  “if  Angel 
chose  stop,  choose  x  :=  a;  a  :=  0,  otherwise  always  choose  x  :=  0”  (right)  [a*]x  =  1  is  false  by 
strategy  “repeat  once  and  repeat  once  more  if  x  =  1,  then  stop” 


is  that  of  a  hybrid  system  with  interacting  discrete  and  continuous  dynamics,  but  the  game  actions 
are  chosen  at  discrete  instants  of  time,  even  if  they  take  effect  in  continuous  time. 

Reachability  aspects  of  games  for  hybrid  systems  have  been  studied  before.  A  game  view  on 
hybrid  systems  verification  has  been  proposed  by  Tomlin  and  coauthors  following  a  Hamilton- 
Jacobi-Bellman  PDF  formulation  [TMBO03,  MBT05],  with  subsequent  extensions  by  Gao  et  al. 
[GLQ07].  Their  primary  focus  is  on  adversarial  choices  in  the  continuous  dynamics,  which  is  very 
interesting,  but  not  what  we  consider  here.  It  is  also  easier  to  get  the  axioms  of  our  proof  calculus 
sound  than  numerical  approximations  of  PDFs.  WCTF  properties  of  STORMFD  hybrid  games, 
which  require  monotonicity  properties  for  the  system  evolution,  have  been  shown  to  be  decidable 
using  bisimulation  quotients  [VPVDll].  The  special  case  of  o-minimal  hybrid  games  has  been 
shown  to  be  decidable  earlier  by  Bouyer  et  al.  [BBC07].  The  case  of  rectangular  hybrid  games  is 
known  to  be  decidable  [HHM99] . 

We  take  a  complementary  view  and  study  logics  and  proofs  for  hybrid  games  instead  of  search¬ 
ing  for  decidable  fragments  using  bisimulation  quotients  [HHM99,  BBC07,  VPVDl  1].  Our  notion 
of  hybrid  games  has  more  flexible  nested  hybrid  choices  for  the  agents  than  the  fixed  controller- 
plant  interaction  considered  in  related  work.  We  consider  more  general  logical  formulas. 
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8  Conclusions  and  Future  Work 


We  have  presented  dijferential  game  logic  (clG£)  for  hybrid  games,  which  unifies  differential  dy¬ 
namic  logic  (d£)  and  Parikh’s  game  logic.  We  have  provided  a  regular  modal  semantics  for  clG£, 
a  proof  calculus,  and  proved  soundness.  Our  logical  setting  enables  us  to  characterize  the  essential 
logical  difference  of  hybrid  systems  proving  compared  to  hybrid  games  proving  by  identifying  the 
axioms  that  separate  d£  and  clG£:  the  axiom  of  duality,  axiom  K,  Barcan  axiom,  and  Godel’s  gen¬ 
eralization  rule  (replaced  with  the  regular  rule).  We  observe  that  there  is  a  striking  similarity  of  our 
clG£  proof  calculus  with  our  calculus  for  stochastic  differential  dynamic  logic  SdC  [Plal  1,  Plal2b], 
despite  their  fundamentally  different  semantical  presuppositions  (adversarial  nondeterminism  ver¬ 
sus  stochasticity).  This  leads  us  to  conjecture  the  existence  of  a  deeper  logical  connection  relating 
stochastic  and  adversarial  uncertainty. 
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A  Proof  of  Scott- Continuity 

We  provide  a  proof  of  the  result  about  Scott-continuity. 

Proof  of  Lemma  1.  By  monotonicity,  show  the  converse  inclu¬ 

sion  by  induction  on  the  structure  of  a:  <^a(Une/  —  Une/  ^aiXn). 

1-  =  {S  e  S  e  e  X4  = 

Une/  ‘^^■=d{^n),  because  sf G  Une/  implies  G  for  some  n. 

2.  W=0&//(UnG/^«)  =  {<^(0)  ^  •  T^(C)  =  [^4(0  and  <^(0  G  |//1  for  all  C  <  r  for 

some  (differentiable)  99  :  [0,r]  5  such  that  ip{r)  G  C  Une/ = 

{99(0)  E  S  -.  . . .  (p{r)  G  Xn},  because  (p{r)  G  Une/  implies  (p{r)  G  for  some  n. 

3.  ?vUUne/^n)  =  M  nUne/^n  =  Une/(M  ^  =  Jne/ 

4.  ?.U//(Une/^n)  =  ?4Une/^4  U^UUne/^n)  =  (Une/ )  U  (Une/‘^4^U) 

~  Une/(^o:(^^)  U^/3(3fn))  =  Une/ ‘'“U/3 (2fn) 

5.  w(Une/^4  =  ?U^4Une/^n))  =  ?UUne/ )  =  Une/ )  =  Un^I  ^aA^n) 

6.  w(Une/^«)  =  l^^-iUnei^n)  U  X^)  u  ?«(w(Une/^«))  *e  least 

fixpoint.  We  will  show  that  Une/^«*(^«)  also  is  a  fixpoint,  implying  ?a*(Une/ — 

Une/^«*(XU.  Indeed,  (Une/^U  U^UUne/^«*(^U)  =  (Une/^U  UUne/<^4w(3^n))  = 

Une/(^n  U^4w(X4)  Une/^«*(^n).  □ 

B  Determinacy  Proof 

In  this  section,  we  prove  determinacy  (Theorem  I)  using  the  operational  semantics  of  clG£  based 
on  the  Borel  determinacy  theorem. 

Theorem  4  (Borel  determinacy  theorem  [Mar75,  Kec94,  Theorem  20.6]).  Let  T  a  nonempty 
pruned  tree  on  a  A  and  let  X  C  [T]  Borel  in  the  product  topology  on  induced  by  the  discrete 
topology  on  A.  Then  the  Gale-Stewart  game  with  rules  T  and  winning  condition  X  is  determined. 

With  this  deep  result  from  the  literature,  we  can  prove  determinism  of  clG£  (Theorem  1): 

Proof  of  Theorem  1.  Determinacy  follows  from  the  Borel  determinacy  theorem  (Theorem  4),  be¬ 
cause  there  are  no  draws  and  all  plays  have  (unbounded)  finite  length  since  Angel  and  Demon, 
respectively,  can  only  choose  to  repeat  a*  and  a^,  respectively,  finitely  often  (repetition  is  defined 
by  a  least  fixpoint).  For  this  we  show  that  the  winning  condition  is  open  in  the  product  topology 
on  the  action  sequences  induced  by  the  discrete  topology  on  the  action  set  A.  To  see  this,  note 
that  the  set  of  those  sequences  is  a  union  of  sets  of  the  form  {Pr  :  r  G  A^}  for  some  finite  action 
sequence  t  G  which  are  open  in  the  product  topology  on  A^.  Furthermore,  arbitrary  unions 
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of  open  sets  are  open.  In  particular,  the  winning  conditions  are  Borel  in  the  product  topology  on 
induced  by  the  discrete  topology  on  A.^  A  hybrid  game  can  be  cast  easily  as  a  Gale-Stewart 
game  (a  game  of  infinite  length  in  which  the  players  alternate  strictly),  which  is  assumed  by  the 
Borel  determinacy  theorem,  just  by  adding  a  stuttering  action  f  to  A.  The  stuttering  action  defined 
by  [f]^  =  s  is  the  only  action  that  a  player  can  choose  in  the  Gale-Stewart  game  when  the  next 
move  in  the  hybrid  game  0(0;)  (s)  is  not  his  choice  or  the  hybrid  game  has  terminated  already.  □ 


C  Equivalence  of  Regular  Modal  and  Operational  Semantics 

We  prove  equivalence  of  the  regular  modal  semantics  from  Section  3  and  the  operational  game 
semantics  from  Section  4. 

Proof  of  Theorem!.  We  proceed  by  induction  on  the  structure  of  a  (and,  simultaneously,  on  the 
number  of  times  repetitions  in  a  are  repeated)  and  prove  equivalence.  As  part  of  the  equivalence 
proof,  we  construct  a  winning  strategy  a  achieving  X  using  that  s  E  s^a(3f). 

1-  -S  e  <^ay.=eiX)  e  X  \a  ©  t]s  =  \x  :=  6]s  =  G  X,  using 

a^='{(a;:=0)}. 

2.  s  E  ^x'=e&iHiX)  s  =  (p{0),(p{r)  E  X  for  some  r  G  M  and  some  (differentiable) 

[0,r]  ^5suchthat^^^(C)  =  [0l<^(^)and(/?(C)  G  [i/]forallC<r  [a©r],  = 

\x'  =  9hH@r^s  =  ip(r)  E  X,  using  a  {{x'  =  6*&if@r)}. 

3.  s  G  ??0(X)  =  [0]  nx  [a  ©  r]s  =  [?0]^  =  s  G  X,  using  a  =  {(?0)}. 

4.  s  G  S'au/3(X)  =  ^a(X)  U  S'/3(X)  s  E  S'a(X)  or  s  G  S'/3(X).  By  induction  hypothesis, 

this  is  equivalent  to:  there  is  a  winning  strategy  a  a  C  0(0;)  (s)  for  Angel  for  X  from  s  or 
there  is  a  winning  strategy  U/j  C  0(/3)(s)  for  Angel  for  X  from  s.  This  is  equivalent  to  a  C 

def 

0(0;  U  /3)(s)  being  a  winning  strategy  for  Angel  for  X  from  s,  using  either  a  =  {(I)}  U  Taa 
or  a  =  {(r)}  U  rV^. 

5.  s  G  qa-,ii{X)  =  ^o(^^(X))  By  induction  hypothesis,  this  is  equivalent  to  the  existence  of 
a  strategy  a  a  C  0(0;)  (s)  for  Angel  such  that  for  all  strategies  r  C  0(0;)  (s)  for  Demon: 
[(Ta  ©  r]s  G  ^/3(X).  By  induction  hypothesis,  [ua  ©  r]s  G  ^/^(X)  is  equivalent  to  the  ex¬ 
istence  of  a  winning  strategy  for  Angel  (which  depends  on  the  state  [(Ja  ©  that  the 
previous  a  game  led  to)  with  winning  condition  X  from  [ua  ©  r]s.  This  is  equivalent  to 

C  0(0;;  l3){s)  being  a  winning  strategy  for  Angel  for  X  from  s,  using 

a  =Va  U  ((Ta  ©  tYcTt 
o-Q;©r 

^Observe  that  the  winning  conditions  are  Borel  in  a  different  topology  than  the  Euclidean  topology. 
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The  union  is  over  all  leaves  (Ja®  r  for  which  the  game  is  not  won  by  a  player  yet.  Note  that 
a  is  a  winning  strategy  for  X,  because,  for  all  plays  for  which  the  game  is  decided  during  a, 
the  strategy  Uq  already  wins  the  game.  For  the  others,  ar  wins  the  game  from  the  respective 
state  [(Tq,  ©  r]  s  that  was  reached  by  the  actions  (Jq,  ©  r  according  to  Demon’s  strategy  r. 

6.  We  prove  the  case  a*  using  a  simultaneous  induction  on  the  number  of  repetitions  of  a,  si¬ 

multaneously  with  the  induction  on  the  structure  of  hybrid  games.  This  simultaneous  induc¬ 
tion  is  well-founded,  because  a*  only  repeats  a  finitely  often  (least  fixpoint).  s  e  = 

C  5  ;  X  U  ^0,(2')  C  Z}  implies  s  G  X  or  s  G  S^Q(<^a*(X)).  In  the  first  case  (s  G  X), 

def 

Angel  already  wins  with  the  winning  strategy  a  =  {(s)},  so  we  only  need  to  consider  the 
second  case.  By  induction  hypothesis  (a  is  structurally  simpler  than  a*),  this  is  equivalent 
to:  a  =  {(s)}  is  a  winning  strategy  for  Angel  for  X  from  s  or  there  is  a  winning  strategy 
o'a  ^  0(«)('S)  for  Angel,  i.e.,  for  all  strategies  r  C  g(Q;)(s)  for  Demon:  Demon  deadlocks 
or  [o-Q  ©  G  ^Q*(X).  By  induction  hypothesis  (from  [cTq,  ©  r]*  Angel  can  win  X  with 
less  repetitions  than  from  s),  [(Jo  ©  r]  ^  G  ^q,*  (X)  is  equivalent  to  the  existence  of  a  winning 
strategy  ar  for  Angel  (which  depends  on  the  state  [(Tq,  ©  that  the  previous  a  game  led 
to)  with  winning  condition  X  from  [aa  ©  t]s.  This  is  equivalent  to  a  C  0(0;*) (s)  being  a 
winning  strategy  for  Angel  for  X  from  s,  using 

a  =  {(g)}UgV«U  IJ  g"(a«©r)V^ 

0-a®T 

The  union  is  over  all  leaves  (Tq,  ©  r  for  which  the  game  is  not  won  by  a  player  yet.  Note 
that  the  above  a  is  a  winning  strategy  for  X,  because,  for  all  plays  for  which  the  game  is 
decided  during  the  first  a,  the  strategy  (Jq,  already  wins  the  game.  For  the  others,  ar  wins  the 
game  from  the  respective  state  [cTq  ©  that  was  reached  by  the  actions  Ua  ©  r  according 
to  Demon’s  strategy  r  for  the  first  repetition  of  a.  The  converse  direction  uses  the  fact  that 
every  game  play  is  finite,  hence,  all  strategies  choose  g  only  finitely  often  on  each  path, 
which  makes  the  repetition  well-founded  (least  fixpoint). 

7.  s  G  s^Q,d(X)  =  S  \  ^Q,(iS  \  X)  s  ^  <^ai<S  \  X).  By  induction  hypothesis,  this  is 

equivalent  to:  there  is  no  winning  strategy  a  C  0(0;) (s)  for  Angel  winning  S\X  from  s.  By 
Theorem  1,  this  is  equivalent  to:  there  is  a  winning  strategy  r  C  0(0;)  (s)  for  Demon  winning 
X  from  s.  Since  the  nodes  where  Angel  acts  swap  with  the  nodes  where  Demon  acts  when 
moving  from  a  to  this  is  equivalent  to:  there  is  a  winning  strategy  a  C  0(0;'^) (s)  for 

def 

Angel  winning  X  from  s  using  a  =  {(d)}  U  d"r  U  d"r"d. 


□ 


D  Soundness  Proof 

First,  we  prove  that  FP  and  ind  are  interderivable  in  the  clG£  calculus. 
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Proof  of  Lemma  2.  Rule  ind  derives  from  FP:  We  first  derive  the  following  variant 


(indR) 


f  — )■  [a]%lj  f  ^  (j) 


From  ip  — )■  [a]il)  and  f  ^  <p  propositionally  derive  ip  ^  f  A  [a]ip,  from  which  contraposition 
and  propositional  logic  yield  ->(p  V  -■[q;]'^  — )■  ->ip.  By  [a]ip  =  -'{a)-'ip,  this  is  an  abbreviation  for 
-10  V  (a) -'Ip  — )■  ->ip.  Now  FP  derives  {a*)-'(p  -A  -'ip,  which,  by  duality,  is  -'[a*](p  -A  -'ip,  which 

gives  Ip  -A  [a*\(p  by  contraposition.  The  classical  [J -induction  rule  ind  follows  by  0  =  From 
ind,  the  variant  ind^  is  derivable  again  by  R  on  0  — )■  0. 

Rule  FP  derives  from  ind:  From  0  V  {q)iP  -A  ip,  propositionally  derive  (p  ^  ip  and  {a)ip  -A-  ip. 
By  R,  the  former  gives  {a*)(p  — )■  {a*)ip.  By  contraposition,  the  latter  derives  -'ip  — )■  -'{a)ip,  which 
is  -'Ip  -A  [a] -10  by  duality.  Now  ind  derives  -'ip  — )■  [a*]-'ip.  By  contraposition  -i[q;*]-i0  — )■  ip, 
which,  by  duality,  is  {a*)ip  — )■  ip.  Thus,  {a*)(p  -A  iphy  the  formula  derived  above.  □ 

Now  we  prove  soundness  of  the  clG£  proof  calculus. 

Proof  of  Theorem  3.  Soundness  of  modus  ponens  (MP)  is  simple  and  not  shown.  In  order  to  prove 
soundness  of  an  implication  axiom  0  — )■  0,  we  fix  any  set  of  states  S,  and  need  to  show  [0]  C  [0] . 
To  prove  soundness  of  an  equivalence  axiom  (p  -H-  ip,  we  need  to  show  [0]  =  |0] .  To  prove  sound¬ 
ness  of  a  rule 


Ip 

we  consider  any  set  of  states  S  and  assume  that  0  is  valid  in  S,  i.e.,  |0]  =  S  and  prove  that  ip  is 
valid  in  S,  i.e.,  |0]  =  S. 

(;=)  l{x-.=  e)(p{x)\  =  ^^^([0(a;)])  =  [s  e  S  ■.  G  [0(a;)]}  =  [s  e  S  ■.  s  e  [0(0)]}  = 
|0(0)] ,  where  the  middle  equation  holds  by  the  substitution  lemma.  We  can  use  the  classical 
substitution  lemma  if  0(0)  is  in  first-order  logic.  Otherwise  the  proof  of  the  substitution 
lemma  for  differential  dynamic  logic  d£  [PlalO,  Lemma  2.2]  immediately  generalizes  to 
CIG£. 

0  =  0)0]  =  w=e([0])  =  {<^(0)  G  5  ;  ^^^^(C)  =  [0]^(^)  for  all  C  <  r  for  some 

99  :  [0,  r]  — )■  5  such  that  Lp{r)  G  [0]  }•  On  the  other  hand,  we  have 

I3t>0  {x  :=y{t))(p}  =  {s  G  iS  :  s}  G  {{x  :=  y{t))(pl  for  some  r  >  0}  =  {s  G  5  ;  s}  G 

{m  G  5  ;  G  [0]}  for  some  r  >  0}  =  {s  G  5  ;  (s})!^*'  G  [0|  for  some  r  >  0}. 

The  inclusion  “0”  between  those  two  sides  follows,  because  the  function  :=  {s^)x  * 

solves  the  differential  equation  x'  =  0  by  assumption.  The  inclusion  “C”  follows,  because 
the  solution  of  the  smooth  differential  equation  0  =  0  is  unique  [PlalO,  Lemma  2.1]. 

(?)  [(?0)0|  =  <^?V,([0])  =  [0]  n  [0]  =  [0  A  0] 

(U)  |(aU0)0]  =?au/3([0l)  =  ?a([0])  U?/3([0])  =  [(a)0]  U  1(0)0]  =  [(a)0V  (0)01 
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(;)  [(tt;/5)0l  =  W(M)  =  ^a(?/3([0l))  =  ?a([(/5)0l)  =  l{a){f3)(g. 

O  [(tt'^)0l  =  w([0l)  =  10])  =  5\?«([^0])  =  5  \  [(a)^0]  =  h(a)^0l 

(*)  Since  |(q;*)0]  =  Ca*([0])  =  AiZ.[0]  U  c«(-Z’)  is  a  fixpoint,  we  know  that  [(q;*)0]  =  |0]  U 
Ca([(a*)0])-  Thus,  [0  V  (a)(a*)0]  =  |0]  U  [(a)(a*)0]  =  [0]  UCa([(a*)0])  =  [(a*)0l.  In 
particular,  [0  V  (q;)(q;*)0]  C  |(q;*)0]. 

R  Assume  the  premise  0  — )■  0  is  valid  in  a  state  space  S,  i.e.,  |0]  C  |0].  Then  the  conclusion 
(q;)0  — )■  (q;)0  is  valid  in  S,  i.e.,  |(a)0]  =  Ca(|0|)  C  c«(|0])  =  [(a)0]  by  monotonicity  of 

FP  Assume  the  premise  0  V  {a)^jJ  — )■  0  is  valid  in  a  state  space  S,  i.e.,  [0  V  (a)0]  C  [0]. 
Thus,  10]  U  Ca([0|)  =  [0]  U  |(a)0]  =  [0  V  (a)0]  C  [0|.  That  is,  0  is  a  pre-fixpoint 
of  Z  =  |0]  U  Ca(-Z’).  Now  [(q;*)0]  =  c«*(|0])  =  /nZ.|0]  U  Ca(-Z’)  is  the  least  fixpoint 
and  even  the  least  pre-fixpoint  [Koz06,  Appendix  A],  because  of  monotonicity.  This  implies 
|(q;*)0]  C  [0|,  which  implies  that  (q;*)0  — )■  0  is  valid  in  S. 

con  By  premise,  we  know  for  all  values  of  v  that  [<^(n)  A  w  >  0]  C  l{a)(p{v  -  1)]  =  Ca([<^(n  - 
1)]).  To  prove  the  conclusion,  we  show  that  for  all  values  of  n:  [^^(n)]  C  |(Q;*)3n<0  99(n)]  = 
w([3n<0(^(n)|)  =  iJ,Z.l3v<0(p{v)l  U  Ca(^).  Since  [3t;<099(n)]  C  CQ*([3n<0 99(1;)]), 
this  holds  trivially  whenever  n  <  0.  By  induction  on  r  G  M,  we  assume  [^(n)]  C 
Ca*([3n<0(^(n)|)  for  all  V  <  r  and  prove  it  for  any  n  >  r.  It  is  enough  to  consider  the 
case  where  v  <  r  +  1.  Consider  any  s  G  [</5(n)]  (if  no  such  s  exists,  there  is  nothing  to 
show).  Since  n  >  r  >  0,  we  know,  by  premise,  that 

mon  /i 

s  G  [99(n)  An  >  0]  c  c„(|99(n  -  1)])  C  Ca(Ca*([3n<099(n)|))  C  Ca*([3n<0 v?(n)]) 

where  the  indicated  inclusions  are,  respectively,  by  the  induction  hypothesis  (n  —  1  <  r)  to¬ 
gether  with  monotonicity  (mon)  and  the  fact  (marked  n)  that  Cq*  ( [3n<0  93(n)| )  is  a  fixpoint. 
Thus,  s  G  Ca*([3n<0  99(n)])  =  [(Q;*)3n<0 99(n)|. 

^  We  show  that  [3a;  (q;)0]  =  {s  G  iS  ;  G  [(a;)0]  =  Ca([0])  for  some  r  G  M}  is  contained 
in  the  following  set,  because  of  the  assumption  x  ^  a: 

|(Q;)3a;0]  =  c«([3a;0])  =  Ca({s  G  5  :  G  [0|  for  some  r  G  M}).  Lets  G  S  with 

s^  G  Cq([0])  for  some  r  G  M.  Since  x  ^  a,  Ca([0])  is  independent  of  r,  and  the  same 
sequence  of  game  actions  is  applicable  from  si  as  from  s.  By  si  G  Ca([0]),  there  is  a  play 
of  game  a  from  si  to  some  state  of  the  form  tl  G  [0| .  Note  that  x  is  unchanged  during  a. 
Without  loss  of  generality,  we  can  choose  t  to  be  a  state  with  t{x)  =  r.  Since  x  ^  a,  the 
exact  same  play  of  game  a  leads  from  s  to  t,  just  with  the  value  s{x)  for  x.  This  proves  the 
inclusion  “C”  of  the  above  sets,  because  t  G  [3a;  0] .  Note  that  the  inclusion  “0”  does  not 
hold,  because,  even  if  a;  0  a,  the  winning  states  in  the  second  set  depend  on  the  value  of  x, 
so  the  strategy  may  depend  on  that  value.  □ 
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